OpenFISMA v3.2 rc0 released

The OpenFISMA project is an open source application designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

Overview of New Features

This is our first major release in over 6 months, and it’s packed with new features and improvements. These release notes will cover some of the important new features that users may be interested in.

People added to Information Systems

Previously, users were given access to information systems, but a user being assigned a particular role or permission did not mean they were actually filling that role for any one system. To ensure users always know who the right points of contact are for findings and incidents, administrators can now assign people to systems and organizations along with titles. When a user views a finding or incident, they will be able to see who has been assigned. For example, you may want to define an Information Security Officer or a Business Owner. Out of the box we have defined three generic titles for you to use, but feel free to customize them to your needs.

To edit or assign people to an information system or organization, simply edit the People section when viewing the system or organization. Type the name or email address of the user you wish to assign and the system will auto-populate the field with the correct information. If you are unsure of the user's full name or email address, just enter the letters you know and the system will return a list for you to choose from.

A new administrative interface was added to allow the administrator to extend the default types of people. People types can be added and edited as needed. As usual, this new administrative option can be found in the administrative section under the System Inventory menu item.

Repeat Findings

Users can now link findings with other findings. Links can be used to represent findings which are repeats or duplicates of, or related to, other findings. In the screenshot below, toggling the "Add a New Link" field opens a pop-up window with a drop-down to select whether the finding is a repeat of, a duplicate of, or related to another finding, and a field for the ID of the other finding.

The administrator also has the ability to create new link types and tags. To add a link type, click the Add button; a pop-up window with the Tag Name field is displayed, where the new link type can be entered. To edit an existing link type, toggle the Edit button next to the type that requires an edit.

FISMA Reportable Systems

Information systems can now be designated as FISMA Reportable or not, allowing users to search and report on only those systems which are FISMA reportable. After logging on as an administrator or a user with the necessary privilege and selecting the System Inventory tab followed by Systems, the user will see the following screenshot. The Columns field will need to be toggled.

On toggling the Columns tab, the user will be able to select the FISMA Reportable field and will see the following:

Users can also view the FISMA Reportable column in the exported Excel or PDF file when they click on the XLS or PDF tabs.

Security Authorization Due Date

A new Security Authorization Due Date field has been added to the FISMA Data tab of information systems. This field is used to manually enter the due date for the next required Security Authorization. The screenshot below shows how a user with the necessary privileges can manually enter the due date for the next Security Authorization under the System View – FISMA Data tab.

On toggling the date field in the Security Authorization section, the date can be changed by personnel with appropriate access.

Audit Year

A new text field titled "Audit Year" was added to the Findings view. This feature allows a user with privileges to edit findings to manually edit the audit year. In the screenshot below we see that there is no Audit Year field yet.

A user with privilege to change optional fields can turn on or off the presence of the Audit Year Field.

Once the Audit Year Field has been toggled On, each finding will have the audit year displayed in the finding detail view as seen in the screenshot below.

The audit year is a searchable field allowing users to search by audit year.

Previous Finding and Next Finding Toggle Buttons

Users can now move from one finding to another without having to return to the search results. Previously, users had to click to view a record, click back to go to the search results, and then find the next record. The screenshot below shows the addition of the Previous and Next Record buttons that can be used to move from one finding to another.

The previous and next record buttons are available from all the tabs for the finding.

Selection of Rows in Search Results by a User

In this release, users can define their own preferred number of results per page, as opposed to the default 10 rows per page that were displayed in every search result in previous versions. The screenshot below shows the default selection of 10 records per page. This is true across all the modules, i.e. Findings –> Search, Vulnerabilities –> Search, Incidents –> Search. The number of rows selected persists across the Findings, Vulnerabilities and Incidents modules.

Switching from Simple to Advanced Search

In previous versions the user had to click more than one button to get to the advanced search options. In this release, an Advanced Search button has been added directly next to the Search button, allowing the user to switch to advanced mode with a single click. See the screenshot below.

Default Assignee

A new field called Default Assignee was added to information systems and organization units. Any time a finding, vulnerability, or incident is created against a system or organization with a default assignee, that assignee will be notified and assigned responsibility. Users will now be able to track and report on who has responsibility for findings, incidents, and vulnerabilities. A default assignee is assigned when new systems or organizations are created. The screenshot below shows the pre-populated assignee field when a new finding is created.

Search for Comments and View Comments in Search Results

Users can now search for comments in simple and advanced searches. To view the comments in search results, users must make the column visible; the screenshot below highlights the new column.

Once the Comments column has been activated, it can be seen in search results, as shown in the screenshot below.

When a user wants to add a comment, they do so in the finding detail view as it appears below.

Category Code on Incident Summary Page

In previous versions the detailed view of an incident had a label that said "Category:" but displayed the subcategory. This release ensures that the Category Code (i.e. CAT 1, CAT 2, CAT 3, etc.) is displayed in the incident detail tab, as these are directly related to US-CERT reporting. The screenshot below shows the category and subcategory that can be chosen when selecting the Category in the detailed incident view.

Once the user selects the category, the field displays both the category and the subcategory.

Ability to delete comments and attachments

Users can now delete comments they make as well as attachments they upload. Previously, users could not modify any comment they added. The screenshot below depicts how a user can delete a comment on an incident.

The screenshot below depicts how a user may delete an attachment.

Bulk Upload for Vulnerability Scan

The user can upload multiple vulnerability scanner files at one time. The system can upload Nessus, Qualys or WebInspect files individually or all of them together. The user can select from 1 to 1000 scan files for the system to process. The screenshot below shows the limits for multiple scan uploads and the message that informs users which browsers they can or cannot use for uploading multiple scan files.

The system can upload scan files of up to 100MB each. A message is also displayed if the application has trouble uploading or parsing a file, as shown in the screenshot below.
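To make the upload limits above concrete, here is an added example (not OpenFISMA's own code) of how an ingestion endpoint can check a bulk upload before parsing: it enforces the 1 to 1000 file count and the 100MB per-file limit, recognises the scanner format from the XML root element, and reports each bad file individually so one malformed upload does not reject the whole batch. The Nessus root element name is real; the Qualys and WebInspect root names used here are assumptions, and the sample files are constructed.

```python
# Added example, not OpenFISMA code: validate a bulk scan upload.
import xml.etree.ElementTree as ET

MAX_FILES = 1000               # limits stated in the release notes
MAX_BYTES = 100 * 1024 * 1024  # 100MB per file

# Format is recognised from the XML root element. NessusClientData_v2 is the
# real Nessus v2 root; the Qualys and WebInspect entries are ASSUMED here.
ROOT_TO_FORMAT = {
    "NessusClientData_v2": "nessus",
    "SCAN": "qualys",                           # assumption
    "WEBINSPECT_ROOT_PLACEHOLDER": "webinspect",  # placeholder, not a real name
}

def classify(name, data):
    """Return ('ok', format) or ('error', reason) for one uploaded file."""
    if len(data) > MAX_BYTES:
        return "error", f"{name}: larger than 100MB"
    try:
        # The stdlib parser does not expand external entities, so scanner
        # output from an untrusted host can be sniffed without XXE fetches.
        root = ET.fromstring(data).tag
    except ET.ParseError as exc:
        return "error", f"{name}: not well-formed XML ({exc})"
    fmt = ROOT_TO_FORMAT.get(root)
    if fmt is None:
        return "error", f"{name}: unrecognised root element <{root}>"
    return "ok", fmt

def validate_batch(files):
    """files: list of (name, bytes). Returns accepted and rejected lists."""
    if not 1 <= len(files) <= MAX_FILES:
        raise ValueError(f"a batch must contain 1 to {MAX_FILES} files")
    accepted, rejected = [], []
    for name, data in files:
        status, detail = classify(name, data)
        if status == "ok":
            accepted.append((name, detail))
        else:
            rejected.append(detail)
    return {"accepted": accepted, "rejected": rejected}

# Constructed sample batch: two good files, one truncated, one not XML at all.
SAMPLE_BATCH = [
    ("host1.nessus", b"<NessusClientData_v2><Report name='r'/></NessusClientData_v2>"),
    ("qualys.xml", b"<SCAN><HEADER/></SCAN>"),
    ("truncated.nessus", b"<NessusClientData_v2><Report"),
    ("notes.txt", b"just text"),
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH))
```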

Asset Service Field

The administrator can tag assets based on whether they are for development, test, pre-production, staging, or production. This is a select field whose values can be modified or extended at a later time.

On selecting a particular asset, the user can then select the environment tag for the asset as shown below.

In the System Inventory Administration module, the asset tag can be modified or a new tag can be added as shown below.

Search Improvement

The user has the ability to search on all fields in the database and to export the results into Excel format. The user can toggle on and off the columns or criteria by which they would like to search and view the results. This can be seen in the screenshot below.

Severity Level Field

Users can now assign a severity level to incidents. Only one severity can be selected for each incident.

The severity field is configurable by an administrator so the organization may edit or add new severity levels as they see fit. Severity Levels can be added in the Incident Administration Tab as seen in the screenshot below:

Source Field

The user has the ability to select the source of each incident (i.e., IDS, Antivirus, Human, Keylogger, etc.). Each incident has only one source.

The source field is also configurable. The organization can edit and add new source fields or detection mechanisms in incident administration mode at a later date. The screenshot below shows the addition, deletion and modification of the Source field.

Resolution Field

The user has the ability to select a resolution (impact) for each incident.

This resolution field is also configurable so that the organization can edit and add new resolutions at a later date. Example data: False Positive, Compromised, Inconclusive, Protection In Place. See the screenshot below.

NJ Ouchn